On 2011-02-15, Kelly Dean <kellydea...@yahoo.com> wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was published
> Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable. Squeeze uses
> 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel fixed, or does it have
> the vulnerability?

My interpretation of the overview provided by the NVD is that the vulnerability applies only to XFS, and can only be exploited by authenticated users. But I would be interested to hear the opinions of more knowledgeable users.

> http://security-tracker.debian.org/tracker/status/release/stable currently
> says that "the stable" suite has the vulnerability, and Squeeze is currently
> the latest stable, but the page doesn't explicitly say that Squeeze is the
> latest stable and has the vulnerability, and there's no timestamp on the
> page. The last-modified header appears to have the common bug of reporting
> the server's current clock time rather than the page's last modified
> timestamp, so that's useless too.

I suspect that the page is dynamically generated, so the last-modified header will always report the time at which the underlying database query was executed.

> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?

--
Liam O'Toole
Cork, Ireland